Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Lunch and learn session from HIMSS Show sponsored by Novell and Cynergistek
Presentation Transcript

  • Information Security & Compliance in Healthcare Beyond HIPAA and HITECH
  • Why Does Health Data Even Exist?
    • People choose to disclose their most intimate information to get the best treatment.
    • Doctors earn trust by guaranteeing privacy.
    • No privacy = people avoid treatment, lie or omit information, and get sicker.
    • No American should ever have to choose between care and privacy. They deserve both.
  • Agenda
    1. Why traditional approaches don’t work
    2. Dealing with the complexity in Healthcare
    3. Adding Privacy to the Matrix
    4. Correlation is Key
    5. Questions & Answers
  • Healthcare’s Immaturity
    • Slightly less than half have a dedicated Information Security Officer
    • Roughly 30% have invested in automated log management tools
    • The average size of an information security group today – less than three.
    • Average years experience in information security – less than five.
  • An Evolving Threat
    • Threats persist with a goal of notoriety.
    • Threats are visible and indiscriminate.
    • “Big splash” approach.
    • Threats are fleeting with a goal of profit.
    • Threats are silent and highly targeted to exploit target or steal data.
    [Slide diagram labels: Fame, Fortune; Computers & Networks; People, Identities, & Information]
    • Attackers are increasingly developing highly sophisticated methods with the goal to penetrate rather than destruct.
    • We (Symantec) have seen sources of data change and plenty of evidence of “collateral damage”.
  • Data Breaches by Sector – Healthcare is #2 (source: Symantec Corp. Global Internet Security Threat Report XV)
    • Good news: few exposed identities
    • Bad news: the number of breaches is high (reporting mandates are a contributing factor)
  • An Enormous Challenge
    • Hundreds/thousands of applications and systems each producing scores of logs per minute.
    • Hundreds or thousands of users generating logs from their activity.
    • Organizations need to collect, compile, parse, analyze, correlate and report.
  • Current State of Log Management
    • Manual, reactive processes of the past are simply not adequate to meet today’s security, privacy and compliance mandates.
      • Overwhelming manual process
      • Specialized audits of high profile patients
      • Reactive audits in response to complaints
  • Disjointed Efforts
    • Privacy and Compliance organizations have focused on application monitoring
    • Technical and Security organizations have focused on monitoring events affecting security of the IT infrastructure and systems
    • This approach is inefficient and adds to the risk of exploitation
  • Regulatory Landscape
    • Federal Laws
      • HIPAA Privacy & Security Rules
      • HITECH requirements
      • Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2)
      • Federal Privacy Act
      • Payment Card Industry Data Security Standard (PCI DSS)
    • State Laws
      • Much variation
    • Contractual Requirements
  • What’s Happening To My Data?
    • Greater Access
    • Business Associates
    • Breach Notification
    • Accounting for Disclosures
    • Behavioral Modeling
    • Normalization of Users
    • Patient Identification
  • What’s New
    • Capabilities to link data
    • Capabilities to look up patient information
    • Opportunities for greater consumer involvement
    • Opportunities for greater patient electronic access to their information
    • Opportunities for enhanced protections
  • Top Security Trends in Healthcare for 2011
    • More small scale data breaches
    • Low-tech theft, data stolen through non-electronic means
    • Continuing crisis of lost devices
    • Data minimization increasingly essential part of data security plans
    • Increased collaboration & sharing will increase vulnerability
    • Organizations will implement social networking policies
    • Data encryption will be seen as a “golden ticket” to compliance
    • 3rd parties will face more stringent breach notification
    • Privacy awareness training will gain prominence as essential to breach preparedness
    • Possibility of Fed breach notification is high for 2011
    Source: Kroll's Fraud Solutions, January 3, 2011
  • What We Need
    • A true health care solution that takes an integrated approach to all logging, monitoring, audit, and review activities.
    • A solution that is intelligent enough to deliver a unified view of compliance.
    • And smart enough to incorporate privacy monitoring and tie it back to other activity on the network.
  • The Old Model
    • Traditional SIEM and Log Management platforms present views in silos, typically through add on modules such as:
      • HIPAA
      • PCI/DSS
      • ITIL
      • ISO
  • A New Paradigm
    • A multidimensional approach that incorporates:
      • Operations
      • Security
      • Compliance
      • Privacy
      • Correlation
  • Where The Data Is
    • To address Privacy rules, today’s SIEMs need to be able to collect and correlate information from healthcare applications.
    • Current technologies only address the traditional operations, compliance and security event logs.
    • The model for healthcare needs to evolve to include privacy information (User Activity).
  • One Big Challenge – User Identity
    • There are two critical components to this challenge – User Logins and Roles
    • Most healthcare organizations do not have mature role based access in place
    • Logins vary by system, and a single user may have many unique logins
    • Identity management will become a critical success factor for Healthcare compliance
  • Top Privacy Trends in Healthcare for 2011
    • HIEs will be launched by inexperienced and understaffed organizations
    • Increased fines and regulatory action by AGs
    • Data breach costs will increase as penalties enforced
    • Hospital Boards will exert their power to manage data risks to increase accountability & fiduciary responsibility
    • A significant “data spill” is inevitable
    • There will be heightened patient awareness/concern over the security of their medical data
    • Final data breach notification from HHS
  • Correlation is Key
    • The ability to pull together multiple pieces of identity based information from multiple sources, and then automatically normalize and make sense of that information, is what is needed to accurately identify who did what and when.
  • Agenda
    1. Why traditional approaches don’t work
    2. Dealing with the complexity in Healthcare
    3. Adding Privacy to the Matrix
    4. HITECH
    5. Questions & Answers
  • Meaningful Use
    • A primary goal of HITECH is the adoption and Meaningful Use of interoperable health information technology and electronic health records.
    • Meaningful Use requires the logging of all actions on PHI, including viewing.
    • Meaningful Use requires unique identifiers and logins.
  • Accounting for Disclosures
    • HITECH gives patients the right to request an accounting of who has had access to their information.
    • This arguably extends the monitoring requirement beyond the core EHR to other systems (finance/insurance).
    • A key component of Accounting for Disclosures is determining appropriate access.
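An added illustration of what the User Identity, Correlation is Key and Accounting for Disclosures slides describe, not code from the presentation or from Novell or Cynergistek: three sources that log in their own formats are parsed, each source-specific login is resolved to one canonical person and role, and the resulting single timeline answers "who did what and when" for a patient record and surfaces accesses outside the permitted roles. The log formats, logins, roles, policy and patient MRNs are all constructed, and the identity map stands in for what an identity management system would supply.

```python
import re
from datetime import datetime
# Constructed identity directory (what an IdM system would supply): each source-specific login -> (person, role).
IDENTITY_MAP = {
    ("ehr", "jdoe"): ("Jane Doe", "nurse"), ("vpn", "HOSP\\jdoe2"): ("Jane Doe", "nurse"),
    ("ehr", "rsmith"): ("Rob Smith", "billing"), ("ad", "rob.smith@hosp.example"): ("Rob Smith", "billing"),
}
# Constructed policy: roles permitted to perform each clinical action on PHI.
ALLOWED = {"view_chart": {"nurse", "physician"}, "print_chart": {"nurse", "physician"}}
# One regex per source, because every source logs in its own format.
PATTERNS = {
    "ehr": re.compile(r"^(?P<ts>\S+) EHR user=(?P<login>\S+) action=(?P<action>\S+) mrn=(?P<mrn>\d+)$"),
    "vpn": re.compile(r'^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) vpn01 sslvpn: user "(?P<login>[^"]+)" (?P<action>\w+)'),
    "ad": re.compile(r"^(?P<ts>\S+ \S+) DC01 4624 (?P<login>\S+) (?P<action>\w+)$"),
}
SYSLOG_YEAR = "2011"  # syslog lines carry no year; assumed for the constructed sample
# Constructed sample lines: a VPN syslog entry, a domain-controller logon, and EHR audit records.
SAMPLE_LOGS = [
    'Feb 21 07:55:02 vpn01 sslvpn: user "HOSP\\jdoe2" connected from 198.51.100.7',
    "2011-02-21 08:00:00 DC01 4624 rob.smith@hosp.example logon",
    "2011-02-21T08:01:10 EHR user=jdoe action=view_chart mrn=100234",
    "2011-02-21T08:03:41 EHR user=rsmith action=view_chart mrn=100234",
    "2011-02-21T08:10:00 EHR user=jdoe action=print_chart mrn=100777",
]

def normalize(lines):
    """Parse each line and replace its raw login with the canonical person and role."""
    events = []
    for line in lines:
        for source, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            when = (datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
                    if source == "vpn" else datetime.fromisoformat(m["ts"]))
            person, role = IDENTITY_MAP.get((source, m["login"]), ("UNKNOWN", "unknown"))
            events.append({"time": when, "source": source, "person": person, "role": role,
                           "action": m["action"], "mrn": m.groupdict().get("mrn")})
    return sorted(events, key=lambda e: e["time"])  # one timeline across all sources

def accounting_of_disclosures(events, mrn):
    """Who accessed this patient's record, when, and how (the HITECH accounting view)."""
    return [(e["time"].isoformat(), e["person"], e["role"], e["action"]) for e in events if e["mrn"] == mrn]
def out_of_role(events):
    """PHI actions performed by a role the policy does not permit: review candidates."""
    return [e for e in events if e["action"] in ALLOWED and e["role"] not in ALLOWED[e["action"]]]
def activity_of(events, person):
    """Cross-source timeline for one normalized identity, regardless of which login was used."""
    return [(e["source"], e["action"]) for e in events if e["person"] == person]
```

With the sample above, the billing user's chart view is reported as out of role, and Jane Doe's VPN connection and two EHR actions appear on one timeline even though they were logged under different logins.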
  • Breach Notification
    • HITECH provides very specific notification requirements if unsecured patient information is accessed, acquired or disclosed as a result of a breach.
    • SIEM can assist in early detection of breaches and aid in limiting impact.
    • SIEM can also aid in forensic analysis of what happened and who was involved.
  • Frequent Themes
    • Frustration with primarily reactive processes
    • Frustration with time consuming manual processes
    • Lack of confidence in manual searches
    • Desire to mitigate potential public embarrassment
    • Gaps in current SIEM/Log Management solutions to address clinical applications
    • Lack of log/audit functionality in systems
  • The Ideal Healthcare SIEM
    • Multidimensional compliance matrix that measures against an integrated set of requirements.
    • A distinct approach that elevates Privacy to the same level as operations, security and compliance and correlates across all.
    • An ability to tie in Identity Management and normalize for user ID and role.
    • An established set of reports and alerts